The Investigatory Powers Bill: Mass Surveillance in the UK

GCHQ, Ministry of Defence

A year after it was first proposed, and with the government mired in a Brexit fuelled crisis, the UK’s new mass surveillance regime last week passed its third reading in the House of Lords and is soon to become law.

The Investigatory Powers Bill – aka the Snooper’s Charter – is reminiscent of the US Patriot Act, which was hastily passed 45 days after 9/11 in the name of national security. This conservative government finds itself in a not too dissimilar crisis and, with a distracted public and media, this fundamental curtailment of legal rights is quietly working its way onto the UK statute books.

The bill is a comprehensive surveillance law that was drafted after three inquiries highlighted flaws in the Regulation of Investigatory Powers Act 2000 (‘RIPA’), the existing UK surveillance framework. According to The Home Office, the law is needed to allow the authorities more oversight than ever before for national security reasons.

Open Rights Group’s executive director, Jim Killock, commented after the bill was passed by the House of Lords that the UK was ‘one step closer to having one of the most extreme surveillance laws ever passed in a democracy’. ‘Despite attempts by the Lib Dems and Greens to restrain these draconian powers, the Bill is still a threat to the British public’s right to privacy,’ he said. According to the Open Rights Group, the new Bill ‘fails to restrain mass surveillance by the police and security services and even extends their powers’.

The Snooper’s Charter sets out an all-encompassing framework for legal surveillance of equipment and data in the UK and abroad. Couched in the widest possible language, the Investigatory Powers Act will give the security and intelligence agencies, and law enforcement chiefs, extensive powers to ‘obtain communications, equipment data or other information’ for the ostensible purposes of national security and tackling crime.

The opportunities for abuse are rife and the new law risks entrenching an already present culture of mass intelligence gathering operations in violation of human rights law. The law will extend from monitoring mobile phones, computers, email systems, and their users to surveilling private residences and vehicles. Telecommunications companies, including major tech companies like Facebook and Google, will be duty bound to provide user data to the authorities pursuant to the Act.

The lengthy bill and its accompanying guidance make for chilling reading. The bulk hacking and surveillance for which the bill provides is defined as ‘equipment Interference,’ a term similar to the euphemistic language adopted by governments in the past to disguise other attacks on basic rights (see enhanced interrogation techniques).

According to the draft guidance, warrants ‘may authorize both physical interference (e.g. covertly downloading data from a device to which physical access has been gained) and remote interference (e.g. installing a piece of software on to a device over a wired and/or wireless network in order to remotely extract information from the device’ and this includes ‘live interception of an online video call.’

Equipment interference, the guidance continues, ranges from ‘covertly downloading data from a subject’s mobile device when it is left unattended’ to ‘more complex equipment interference operations… exploiting existing vulnerabilities in software in order to gain control of devices or networks…or monitor the user of the device.’ The ambition is to track ‘every keystroke entered by users.’

The legislation will allow for ‘bulk equipment interference’ whereby equipment data can be obtained from a large number of qualifying devices in a specified location (the size of the location is not specified). Even the most targeted interferences in the UK will encompass ‘incidental conduct’ which can include ‘interference with non-target equipment’ and ‘intrusive surveillance’ of, according to the example given in the guidance, residences and private vehicles – without requiring a separate warrant.

Too much data?Compelling evidence as to the efficacy of the mass surveillance was presented to Joint Committee on the draft Investigatory Powers Bill by US intelligence officer turned whistleblower, William Binney, in light of the US experience. Aside from the obvious intrusion into the private lives of citizens, he warned MPs that increasing the mass surveillance powers of intelligence agencies ‘costs lives, and has cost lives in Britain because it inundates analysts with too much data.’

Other critics of the measures taken in the US, including Judge Richard Leon, stated that there was an ‘utter lack of evidence that a terrorist attack has ever been prevented because searching the National Security Agency database was faster than other investigative tactics.’

The parliamentary debate in the UK has focused mainly on ensuring that some safeguards were included in the legislation. Again however, the exceptions are subject to exceptions. Whereas technically a warrant is required to carry out both targeted and bulk equipment interference, warrants can be issued by the secretary of state subject to approval of a judicial commissioner. According to the guidance, when considering the approval of warrant, judicial commissioners ‘must apply the same principles as would be applied by a court on an application for judicial review.’ However, there is no requirement for a formal legal instrument to be issued.

Liberty have dubbed the judicial commissioners, likely to be serving or former high court judges, as ‘little more than glorified rubber-stampers’ who will ‘only be able to disagree with outrageously unreasonable requests.’ The judicial commissioners will not have the final say, with any disagreement between the Secretary of State and the judicial commissioner being resolved by appeal to Investigatory Powers Commissioner. In ‘urgent’ cases the government can circumvent the requirement for the approval of the judicial commissioner completely for up to three days. What happens to data wrongly obtained during this period is not specified in the guidance.

The Act will also impose obligations on companies that provide telecommunications services in the UK (communication service providers or CSPs). As in the US, tech companies like Skype, Facebook, Twitter, Google and various mobile carriers will have to turn over user information if required pursuant to the Act. The definition of CSP will also include internet based services such as email, messaging applications and cloud based services. The guidance further stipulates that communication services provided ancillary to other services e.g. networks connected to hotels, airport lounges or public transport, will also be caught.

CSPs will be required to provide assistance in giving effect to a equipment interference warrant and may also be required to provide technical capability to give effect to interception. Under the Act, security services and police forces will be able to access communications data when it is needed to help their investigations. In order to facilitate this, internet services providers will have to store internet history data including information relating to all the websites visited by a user in the last 12 months.

The record of UK intelligence and security services with regards to illegal surveillance is not encouraging. As revealed by leaked documents in 2015, GCHQ engaged in what was subsequently found to be an illegal intelligence sharing operation with the NSA. The Guardian reported at the time:

‘While much of the outcry over the Snowden stories around the world has focused on the NSA, GCHQ has often been much more flagrant in its violations of privacy rights of the world’s citizens. Indeed, Snowden has repeatedly mentioned – including the first time he met with journalists in Hong Kong – that GCHQ’s activities are much worse than the NSA. Reporting since that meeting has revealed GCHQ’s ‘full intake’ tapping of Internet cables, its mass interception of journalists’ emails, its aggressive hacking of non-terrorist groups that are not a threat to the government, and many other disturbin[g] revelations.’

The Act risks creating a legal framework for indiscriminate intelligence operations which violate the rights of private citizens. GCHQ has thus far acted with relative impunity, something that is likely to continue with the passing of the Act. The new law will take us yet further from the jurisprudence of the European Court of Human Rights, and the EU, while recent political developments will further effect data and intelligence sharing arrangements with the UK’s key allies in the EU.

The government’s insistence on imposing a comprehensive mass surveillance regime in the UK, and abroad, in light of the evidence which suggests it is not fit for purpose, flies in the face of the laissez faire approach to government which the Conservative party claims to stand for. It looks increasing to be the case that government interference is only allowed as a curtailment of rights – while regulation and law designed to protect rights is branded ‘red-tape’ and faces the guillotine.

The IP Bill will now return to the House of Commons for a final vote.

About Mehdi ShakarchiMehdi Shakarchi is a solicitor with a particular interest in criminal defence and human rights. He is currently an intern with Reprieve's Middle East death penalty team and a commissioning editor with the Justice Gap